Last week, security researchers identified a series of vulnerabilities affecting almost all Wi-Fi devices, from computers to refrigerators. The vulnerability could allow attackers to intercept wireless communications and potentially steal credentials and other sensitive information. The vulnerabilities are collectively referred to as KRACK.

The good news is that computers running Windows and Linux already have patches available. Microsoft included fixes in the October 2017 Patch Tuesday updates.

Apple says that fixes are ready for MacOS, but there’s no word on exactly when they will actually be made available.

The bad news is that mobile devices, particularly those that run Google’s Android operating system, are vulnerable, and in some cases, might stay that way indefinitely. That’s because even though Google has prepared fixes for Android, those fixes won’t get to devices made by other vendors until those vendors make them available. Some vendors are better than others at pushing updates to their devices. Worse, some devices running older O/S versions may never get updates at all, rendering them permanently insecure.

There are mitigating factors. First, because of the responsible way in which these vulnerabilities were reported, Microsoft and other major players have had time to develop fixes, while details of the vulnerabilities were kept relatively secret until recently. That means we have a head start on the bad guys this time.

Second, exploiting these vulnerabilities requires close proximity. Attacks based on these vulnerabilities can’t be executed over the Internet.

Use caution with unpatched devices

If you use a public Wi-Fi access point with an unpatched device, you’re exposed. So until patches for your device become available, you might want to disable its Wi-Fi when you’re not at home. Most devices have settings that prevent automatically connecting to Wi-Fi networks it finds in the vicinity.

IoT devices may remain vulnerable forever

‘Internet of Things’ (IoT) devices, including thermostats, cars, appliances, and basically anything that can have a computer stuffed into it, often connect to the Internet using Wi-Fi. There are no security standards for IoT devices yet, and many are extremely unlikely to ever be patched.

Recommendation: identify all of your IoT devices that have the ability to connect to the Internet. For each, make sure that you’re using a wired connection, or disable networking completely, if possible. As for devices that connect to the Internet via Wi-Fi and cannot or won’t be patched or disabled, consider taking them to the nearest landfill.

Although it’s rapidly losing its relevance, Java still poses a security risk for any computer on which it’s installed. Java’s dangers are significantly lower now than in the past, because of all the major browsers, only Internet Explorer still runs Java code. All the others have stopped supporting Java completely.

Those of you still using Java, especially in Internet Explorer, should install Java 8 Update 151, because it includes fixes for twenty-two security vulnerabilities.

The easiest way to update Java is to visit the official Verify Java Version page, which will provide an update link if you’re running an out of date version.

If you want to test your web browser’s performance and memory management, just point it to the full change log for Chrome 62.0.3202.62. It’s a behemoth, documenting over ten thousand distinct changes.

Given the number of changes in Chrome 62.0.3202.62, I decided to skip reading the log and trust that Google would point out anything interesting in the release announcement.

The announcement for Chrome 62.0.3202.62 documents thirty-five fixes for security vulnerabilities, so clearly this is an important update. As for the other changes, Google says only this:

Chrome 62.0.3202.62 contains a number of fixes and improvements — a list of changes is available in the log. Watch out for upcoming Chrome and Chromium blog posts about new features and big efforts delivered in 62.

Chrome usually updates itself within a few days of a new release. You can trigger an update by navigating to the About page: click the three-vertical-dots menu button, then Help > About Google Chrome.

On October 9, Mozilla released Firefox 56.0.1, which is notable in that it’s the first version that will automatically upgrade 32-bit Firefox to 64-bit Firefox. The 64-bit version has been available for a while, but Mozilla chose to hold off automatically upgrading 32-bit installs to 64-bit until now.

As usual, there was no announcement for Firefox 56.0.1 from Mozilla. Not even CERT helped here, since the new version doesn’t contain any security fixes. I learned about the new version when Firefox itself prompted me to upgrade on October 18, more than a week after the release.

On the positive side, the upgrade from 32- to 64-bit Firefox on my Windows 8.1 computer worked flawlessly. Somewhat oddly, the 64-bit version installed in the same directory as the 32-bit version: C:\Program Files (x86)\Mozilla Firefox. On 64-bit versions of Windows, 64-bit applications usually get installed in C:\Program Files. Regardless, I haven’t experienced any new problems or strange behaviour, and my old Firefox shortcuts still work. According to Mozilla, the 64-bit version of Firefox is demonstrably more stable and secure.

And just like that, we get another version of Flash, this one addressing a single security vulnerability. From the security bulletin: “Adobe is aware of a report that an exploit for CVE-2017-11292 exists in the wild, and is being used in limited, targeted attacks against users running Windows.”

Anyone still using Flash in their web browser should install the new version as soon as possible. You can check which version you’re running and download the new one at the Flash version checker and download page.

As usual, Chrome will get the new Flash via its own internal update system, and Microsoft browsers will be updated via Windows Update.

Imagine a world in which there were no software updates; no security vulnerabilities; no bugs at all. The idea of such a place makes me happy. This utopia is destined to remain a fantasy, sadly. All software has bugs, and that will never change.

Inspection of Microsoft’s Security Update Guide (SUG) as of 10am today shows the usual massive list of updates, only some of which will affect most of us. You can wade into that if you have some time and access to painkillers, or you can download the list and open it in Excel, which is a lot easier to work with, and is what I do.

Analysis of the update data shows that there are fifty updates this month. Sixteen of those updates are flagged as Critical. A total of sixty-seven vulnerabilities in Windows, Office, Internet Explorer, and Edge are addressed.

As usual, the announcement of this month’s updates does little more than tell us what we already knew: that there are updates today, and where to find them.

Time to patch those computers!

Update 2017Oct11:The Register points out that while vulnerabilities affecting Windows 10 are being patched by Microsoft as soon as they are identified, Windows 7 and 8 systems don’t get those updates until the next Patch Tuesday. This creates an opportunity for malicious persons to analyze the Windows 10 updates and create exploits that work on Windows 7 and 8.

In the late 1990s and early 2000s, when formatted email first became widely-used, displaying formatted email was dangerous, because vulnerabilities in Windows allowed specially-crafted email to execute code on the recipient’s machine. Merely previewing formatted email was risky.

Windows updates and email client changes reduced the effectiveness of malware embedded in the content of email, although clickable links and attachments were still — and continue to be — dangerous.

These days, the dangers of enabling formatted text and images in email are mostly about privacy. A significant portion of all email — especially email sent through mass messaging services like Mailchimp — contains tiny images that, when viewed in an email client, tell the sender when you viewed it. This information is used by the sender to determine the effectiveness of their email campaign. It’s not dangerous, but it is creepy. Of course, not all embedded images are there for marketing reasons; some have more nefarious purposes.

The dangers of email can be almost eliminated by configuring your client software to display email in plain text (without any formatting), and without images. Better still, for those concerned about having their actions tracked online, using text-only email prevents any image-based tracking that would otherwise occur when you open your email.

Most desktop email client software has options that force all email to be viewed in a plain text format. Web-based clients are less likely to offer this option, but some, including GMail, can at least be configured not to display images.

I have always recommended the use of text-only email, and I follow my own advice. Email is still the easiest way for malicious persons to induce unwary users into taking actions that should be avoided. As long as that’s true, the only truly safe way to use email is to disable formatting and images. This also makes email less engaging, but I’m willing to forego fancy-looking email for safety and privacy.

jrivett’s Tweets

New white paper confirms that compromising encryption (to make law enforcement a bit easier) is a very bad idea. AG and FBI officials are really just advertising their own weakness when they complain about this. techdirt.com/article…

Describing his hobby as 'fun' and saying “I never intended for anyone to get shot and killed”, this serial Swatter will hopefully get 10+ years behind bars for his role in a Kansas death-by-SWAT. krebsonsecurity.com/…